sean/sudo-nopasswd
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
215af661d70b3f56884a6234da7d80b084c601da
sudo-nopasswd/README.md

182 lines
4.5 KiB
Markdown
Raw Blame History

# sudo-nopasswd
![Logo](./docs/icons/512x512/sudo-nopasswd.png)
Manage a curated list of commands that members of the `sudo` group can run without a password prompt.
This project keeps command policy in `/etc/sudo-nopasswd`, then automatically syncs it into `/etc/sudoers` as a single `NOPASSWD` rule.
## What It Does
- Edits command policy in `/etc/sudo-nopasswd`
- Resolves command names to full paths using `command -v`
- Escapes `sudoers` special characters for safety
- Updates or removes the `%sudo ... NOPASSWD:` line in `/etc/sudoers`
- Validates syntax with `visudo -c`
- Reverts from backup if validation fails
- Watches policy changes and reapplies updates automatically via service
## Components
- `src/sudo-nopasswd`: interactive editor helper for `/etc/sudo-nopasswd`
- `src/update-sudo-nopasswd`: applies policy to `/etc/sudoers`
- `src/watch-sudo-nopasswd`: watches for file changes and triggers updates
- `src/sudo-nopasswd.service`: systemd unit
- `src/sudo-nopasswd.init`: OpenRC init script
- `build/install.sh`: installs binaries/service files and enables service
- `build/uninstall.sh`: removes service, binaries, and shared files
## Requirements
Runtime requirements:
- `bash`
- `sudo`
- `visudo` (normally from the `sudggo` package)
- `inotifywait` (from `inotify-tools`)
- Init system:
- `systemd` (`systemctl`), or
- `OpenRC` (`rc-update`, `rc-service`)
Build/package helper requirements:
- For Debian package helper scripts: `docker`
- For Gentoo helper script: `emerge`
## Quick Start
1. Install from source:
```bash
cd /path/to/sudo-nopasswd
./build/install.sh
```
2. Add commands:
```bash
sudo-nopasswd
```
3. Save and exit your editor. The tool runs `update-sudo-nopasswd` immediately, and the background watcher keeps changes in sync.
4. Verify:
```bash
sudo -k
sudo <command-you-added>
```
If configured correctly, the command should run without a password prompt.
## Policy File Format
Policy file: `/etc/sudo-nopasswd`
- One command per line (preferred)
- First token is resolved with `command -v`
- Extra arguments on the line are kept
Example:
```text
systemctl restart nginx
apt update
/usr/bin/journalctl -xe
```
Notes:
- If command resolution fails, the resulting entry may be empty or invalid for your intent. Use fully qualified paths for strict control.
- Keep this file root-owned and writable only by trusted admins.
## Service Behavior
On install, the project:
- Creates `/etc/sudo-nopasswd` if missing
- Installs binaries to `/usr/bin`
- Installs shared constants in `/usr/share/sudo-nopasswd`
- Installs and enables either:
- `sudo-nopasswd.service` (systemd), or
- `sudo-nopasswd.init` (OpenRC)
The watcher listens for `close_write` events on `/etc/sudo-nopasswd` and runs `update-sudo-nopasswd` after each save.
## Manual Operations
Run update once:
```bash
sudo update-sudo-nopasswd
```
Start/enable service manually (systemd):
```bash
sudo systemctl daemon-reload
sudo systemctl enable --now sudo-nopasswd.service
```
Start/enable service manually (OpenRC):
```bash
sudo rc-update add sudo-nopasswd.init default
sudo rc-service sudo-nopasswd.init start
```
## Uninstall
```bash
cd /path/to/sudo-nopasswd
./build/uninstall.sh
```
This stops/disables the service, removes installed files, and removes `/etc/sudo-nopasswd` if it is empty.
## Packaging Helpers
### Debian helper
```bash
./build/build-deb.sh
```
This script builds in a Debian Docker container and places `.deb` artifacts in `dist/`.
### Gentoo helper
```bash
./build/build-gentoo.sh
```
This script configures a local overlay and emerges `app-admin/sudo-nopasswd-1.0`.
## Security Considerations
- `NOPASSWD` reduces friction but increases risk if command scope is too broad.
- Prefer exact binary paths and minimal argument patterns.
- Review `/etc/sudo-nopasswd` regularly and keep it under change control.
- Test changes in a non-production environment first.
## Troubleshooting
- `No editor found`: set `EDITOR` (for example `EDITOR=vim sudo-nopasswd`).
- `Unsupported init system`: install/run on a host with systemd or OpenRC.
- Update fails with syntax issues: the tool restores `/etc/sudoers` from backup automatically.
- Watcher does not react: ensure `inotifywait` is installed and the service is running.
## Repository Layout
```text
build/ install, uninstall, and packaging scripts
debian/ Debian packaging metadata/helpers
gentoo/ Gentoo ebuild and metadata
src/ core scripts and service definitions
docs/ project assets/icons
```
## License
GPL-3. See `debian/copyright` for packaging license metadata.
Reference in New Issue View Git Blame Copy Permalink